GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-04-03 21:50:45 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543216A7A384 rev.ES1OA70F 149,05GB Running: xygpsmmz.exe; Driver: C:\Users\Marek\AppData\Local\Temp\kwddikog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88004428d64 12 bytes {MOV RAX, 0xfffffa8004fb62a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076882da4 5 bytes JMP 0000000167cd9ebc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007689cbf3 5 bytes JMP 0000000167e28f36 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007689cfca 5 bytes JMP 0000000167c31893 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 00000000768bcb0c 5 bytes JMP 0000000167e28ed1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 00000000768bce64 5 bytes JMP 0000000167e28f9b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 00000000768cfbd1 5 bytes JMP 0000000167e28e58 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 00000000768cfc9d 5 bytes JMP 0000000167e28ddf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000768cfcd6 5 bytes JMP 0000000167e28d7b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000768cfcfa 5 bytes JMP 0000000167e28d17 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000751e93ec 5 bytes JMP 0000000167e29150 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e61465 2 bytes [E6, 74] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e614bb 2 bytes [E6, 74] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000006ebe388e 5 bytes JMP 0000000167e29000 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 000000006ec87922 5 bytes JMP 0000000167e290a8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1312] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000075072694 5 bytes JMP 0000000167e29348 ? C:\Windows\system32\mssprxy.dll [1312] entry point in ".rdata" section 000000006b7e71e6 ? C:\Windows\System32\NLSData0000.dll [1312] entry point in ".rdata" section 00000000646cc541 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 00000000772e25fd 6 bytes JMP 0000000167cf8054 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 00000000772f2a63 6 bytes JMP 0000000167c9980d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\kernel32.dll!CreateThread 0000000074bf34b5 5 bytes JMP 0000000167c975e3 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076878a29 5 bytes JMP 0000000167d003df .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007687d22e 5 bytes JMP 0000000167ca3643 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007688291f 5 bytes JMP 0000000167c7ddb3 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076882da4 5 bytes JMP 0000000167cd9ebc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076886285 5 bytes JMP 0000000167cf7ff1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076887603 5 bytes JMP 0000000167cd25b4 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 000000007688b029 5 bytes JMP 0000000167e292d8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 000000007688c63e 5 bytes JMP 0000000167e29310 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000768950ed 5 bytes JMP 0000000167e299d2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 0000000076895246 5 bytes JMP 0000000167e29268 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!EndDialog 000000007689b99c 5 bytes JMP 0000000167e29ca6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 000000007689c701 5 bytes JMP 0000000167e299fa .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007689cbf3 5 bytes JMP 0000000167e28f36 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007689cfca 5 bytes JMP 0000000167c31893 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007689eb96 5 bytes JMP 0000000167c7dedd .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007689f52b 5 bytes JMP 0000000167d1ed14 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!SendInput 000000007689ff4a 5 bytes JMP 0000000167e2a269 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000768a10dc 5 bytes JMP 0000000167e292a0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000768a14b2 5 bytes JMP 0000000167e2a2c1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!SetCursorPos 00000000768b9cfd 5 bytes JMP 0000000167e2a342 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 00000000768bcb0c 5 bytes JMP 0000000167e28ed1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 00000000768bce64 5 bytes JMP 0000000167e28f9b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 00000000768cfbd1 5 bytes JMP 0000000167e28e58 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 00000000768cfc9d 5 bytes JMP 0000000167e28ddf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000768cfcd6 5 bytes JMP 0000000167e28d7b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000768cfcfa 5 bytes JMP 0000000167e28d17 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768d02bf 5 bytes JMP 0000000167e2a226 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076706143 5 bytes JMP 0000000167e29704 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000075183e59 5 bytes JMP 0000000167e297fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000075183eae 5 bytes JMP 0000000167e2987a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000075184731 5 bytes JMP 0000000167e2976e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000075185dee 5 bytes JMP 0000000167e2981a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000751e93ec 5 bytes JMP 0000000167e29150 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e61465 2 bytes [E6, 74] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e614bb 2 bytes [E6, 74] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000006ebe388e 5 bytes JMP 0000000167e29000 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 000000006ec87922 5 bytes JMP 0000000167e290a8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000750633a3 5 bytes JMP 0000000167e293ec .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000075072694 5 bytes JMP 0000000167e29348 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3892] C:\Windows\syswow64\comdlg32.dll!PrintDlgA 000000007507e8ff 5 bytes JMP 0000000167e294b8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe[1932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e61465 2 bytes [E6, 74] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe[1932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e614bb 2 bytes [E6, 74] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 00000000772e25fd 6 bytes JMP 0000000167cf8054 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 00000000772f2a63 6 bytes JMP 0000000167c9980d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\kernel32.dll!CreateThread 0000000074bf34b5 5 bytes JMP 0000000167c975e3 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076878a29 5 bytes JMP 0000000167d003df .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007687d22e 5 bytes JMP 0000000167ca3643 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007688291f 5 bytes JMP 0000000167c7ddb3 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076882da4 5 bytes JMP 0000000167cd9ebc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076886285 5 bytes JMP 0000000167cf7ff1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076887603 5 bytes JMP 0000000167cd25b4 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 000000007688b029 5 bytes JMP 0000000167e292d8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 000000007688c63e 5 bytes JMP 0000000167e29310 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000768950ed 5 bytes JMP 0000000167e299d2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 0000000076895246 5 bytes JMP 0000000167e29268 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!EndDialog 000000007689b99c 5 bytes JMP 0000000167e29ca6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 000000007689c701 5 bytes JMP 0000000167e299fa .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007689cbf3 5 bytes JMP 0000000167e28f36 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007689cfca 5 bytes JMP 0000000167c31893 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007689eb96 5 bytes JMP 0000000167c7dedd .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007689f52b 5 bytes JMP 0000000167d1ed14 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!SendInput 000000007689ff4a 5 bytes JMP 0000000167e2a269 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000768a10dc 5 bytes JMP 0000000167e292a0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000768a14b2 5 bytes JMP 0000000167e2a2c1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!SetCursorPos 00000000768b9cfd 5 bytes JMP 0000000167e2a342 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 00000000768bcb0c 5 bytes JMP 0000000167e28ed1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 00000000768bce64 5 bytes JMP 0000000167e28f9b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 00000000768cfbd1 5 bytes JMP 0000000167e28e58 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 00000000768cfc9d 5 bytes JMP 0000000167e28ddf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000768cfcd6 5 bytes JMP 0000000167e28d7b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000768cfcfa 5 bytes JMP 0000000167e28d17 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768d02bf 5 bytes JMP 0000000167e2a226 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076706143 5 bytes JMP 0000000167e29704 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000075183e59 5 bytes JMP 0000000167e297fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000075183eae 5 bytes JMP 0000000167e2987a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000075184731 5 bytes JMP 0000000167e2976e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000075185dee 5 bytes JMP 0000000167e2981a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000751e93ec 5 bytes JMP 0000000167e29150 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e61465 2 bytes [E6, 74] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e614bb 2 bytes [E6, 74] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000006ebe388e 5 bytes JMP 0000000167e29000 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 000000006ec87922 5 bytes JMP 0000000167e290a8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000750633a3 5 bytes JMP 0000000167e293ec .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000075072694 5 bytes JMP 0000000167e29348 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4368] C:\Windows\syswow64\comdlg32.dll!PrintDlgA 000000007507e8ff 5 bytes JMP 0000000167e294b8 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff88001090650] \SystemRoot\System32\Drivers\spdl.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010905dc] \SystemRoot\System32\Drivers\spdl.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800105b35c] \SystemRoot\System32\Drivers\spdl.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800105b224] \SystemRoot\System32\Drivers\spdl.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800105ba24] \SystemRoot\System32\Drivers\spdl.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800105bba0] \SystemRoot\System32\Drivers\spdl.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa800488c2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa800488c2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa800488c2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa800488c2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa800488c2c0 Device \FileSystem\Ntfs \Ntfs fffffa80048922c0 Device \FileSystem\fastfat \Fat fffffa80055ff2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8004fb82c0 Device \Driver\USBSTOR \Device\00000084 fffffa8004e412c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004dbc2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8004fb82c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8004fb82c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80048882c0 Device \Driver\volmgr \Device\FtControl fffffa80048882c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80048882c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80048882c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80048882c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{FBA1AFB4-F4FA-414B-9B5D-AF85B542B474} fffffa8004dea2c0 Device \Driver\volmgr \Device\HarddiskVolume4 fffffa80048882c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004dea2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa800488c2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8004fb82c0 Device \Driver\atapi \Device\ScsiPort1 fffffa800488c2c0 Device \Driver\USBSTOR \Device\00000083 fffffa8004e412c0 Device \Driver\atapi \Device\ScsiPort2 fffffa800488c2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa800488c2c0]<< spdl.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa800488c2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c74060] fffffa8004c74060 Trace 3 CLASSPNP.SYS[fffff88001ae543f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80049b3680] fffffa80049b3680 Trace \Driver\atapi[0xfffffa80049a1cd0] -> IRP_MJ_CREATE -> 0xfffffa800488c2c0 fffffa800488c2c0 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1684:2608] 000007fefbb62a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1684:3376] 000007fee9f3d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1684:4072] 000007fef9765124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x13 0xE7 0xF5 0x8F ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x13 0xE7 0xF5 0x8F ... ---- EOF - GMER 2.1 ----